From: Peter Robinson <pbrobinson@gmail.com>
To: u-boot@lists.denx.de
Subject: [U-Boot] [PATCH v2 1/3] rsa: Fix build with OpenSSL 1.1.x
Date: Tue, 18 Apr 2017 17:58:35 +0100
Message-ID: <CALeDE9PtKgPNwNZd0M1-_gqW5Oe+EJWiLfEwbPXNasiVp3t+OQ@mail.gmail.com>
In-Reply-To: <CAN1kZoriv=MTGkbSRp3F9tZb2fUswVggQCSwdiQKoz3QMr5Kjw@mail.gmail.com>

On Wed, Apr 5, 2017 at 10:49 AM, Mario Six <mario.six@gdsys.cc> wrote:
> Hi Jelle,
>
> On Tue, Apr 4, 2017 at 11:59 PM, Jelle van der Waa <jelle@vdwaa.nl> wrote:
>> @@ -20,6 +20,19 @@
>> #define HAVE_ERR_REMOVE_THREAD_STATE
>> #endif
>>
>> +#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
>> +void RSA_get0_key(const RSA *r,
>> + const BIGNUM **n, const BIGNUM **e, const BIGNUM **d)
>> +{
>> + if (n != NULL)
>> + *n = r->n;
>> + if (e != NULL)
>> + *e = r->e;
>> + if (d != NULL)
>> + *d = r->d;
>> +}
>> +#endif
>> +
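Review bot: The fallback `RSA_get0_key()` inside the `#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)` block is defined with external linkage and carries no comment saying it is a compatibility shim. Declaring it `static` and adding a one-line comment that it stands in for the OpenSSL 1.1 accessor on older libraries would keep the symbol local to this file and explain the guard. The body also reads `r->n`, `r->e` and `r->d` without checking `r`, so it is worth stating that callers must pass a non-NULL key.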
>
> Like in the other patch, this function should be static (also, missing #include
> <openssl/bn.h> in this file as well).
>
>> @@ -548,7 +568,8 @@ int rsa_get_params(RSA *key, uint64_t *exponent, uint32_t *n0_invp,
>> if (0 != rsa_get_exponent(key, exponent))
>> ret = -1;
>>
>> - if (!BN_copy(n, key->n) || !BN_set_word(big1, 1L) ||
>> + RSA_get0_key(key, NULL, &key_n, NULL);
>> + if (!BN_copy(n, key_n) || !BN_set_word(big1, 1L) ||
>> !BN_set_word(big2, 2L) || !BN_set_word(big32, 32L))
>> ret = -1;
>>
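Review bot: In `RSA_get0_key(key, NULL, &key_n, NULL);` the pointer is passed in the `e` slot of the signature added earlier in this patch (`const BIGNUM **n, const BIGNUM **e, const BIGNUM **d`), so `BN_copy(n, key_n)` copies the public exponent where the removed line copied `key->n`. Whatever `rsa_get_params()` goes on to derive from `n` would then be computed from the wrong value, and the build would still succeed, so nothing flags it. Move `&key_n` to the `n` position, `RSA_get0_key(key, &key_n, NULL, NULL);`, and consider checking that `key_n` is non-NULL before the `BN_copy()`.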
>
> You're loading the parameter e into key_n here! It should be
>
> RSA_get0_key(key, &key_n, NULL, NULL);
>
> instead.
>
> Like I said in the previous patch, you will have to #ifdef out more functions
> in this file:
>
> * SSL_load_error_strings
> * OpenSSL_add_all_algorithms
> * OpenSSL_add_all_digests
> * OpenSSL_add_all_ciphers
> * ENGINE_cleanup
> * CRYPTO_cleanup_all_ex_data
> * ERR_free_strings();
> * EVP_cleanup
>
> And you'll also have to replace SSL_library_init() with
> OPENSSL_init_ssl(0, NULL).
>
> After making all these changes, I was able to build a working U-Boot (for our
> controlcenterdc board) against OpenSSL 1.1 that loaded a signed FIT-Image that
> a previous U-Boot also loaded.

Jelle,

Are you planning a v3 to address the above issues? It would be useful
to get this resolved for 2017.05.

Peter